Xena Series Release Notes

13.10.0-15

Bug Fixes

  • Fixes missing way for kolla-toolbox to be built offline. LP#2020761

  • Fixes an issue with Elasticsearch curator not working due to too new python elasticsearch-curator library not compatible with Elasticsearch version 7. LP#2028048

13.9.0

Bug Fixes

  • Fixes an issue where the script kolla_ensure_openvswitch_configured in the openvswitch-db-server image would ignore errors encountered while configuring bridges and ports. LP#1999778

13.7.0

Bug Fixes

  • RabbitMQ version has been updated to 3.9 and Erlang has been updated to 25. Previously used versions (3.8 and 23) have been marked as end-of-life and are not supported anymore as of August 2022.

  • Fixes an issue with Swift deployment via Kolla Ansible caused by the fix to CVE-2022-38060. The kolla-toolbox container now has its own sudoers secure_path configuration which allows the necessary binaries to execute.

13.6.0

Other Notes

  • Added ‘--retry 5’ to curlrc to improve curl downloads during image builds.

13.5.0

Upgrade Notes

  • To fix CVE-2022-38060, support for KOLLA_CONFIG and KOLLA_CONFIG_FILE environment variables in kolla-built containers has been dropped. Now, only the single trusted path of /var/lib/kolla/config_files/config.json will be utilised for loading container config. We believe this is a reasonable tradeoff as these environment variables were not used by any known downstream and potential users in the wild can easily adapt as this does not limit the functionality per se, only making it stricter as to where the config can come from.

Security Issues

  • Fixes CVE-2022-38060, a sudo privilege escalation vulnerability. LP#1985784

13.4.0

Bug Fixes

  • Fixes problems when running with docker-py >=6. LP#1988121

13.3.0

New Features

  • Add templating block for base image helping to customize pip settings used at build time for offline build scenario. We need some required environment variables configured at the top level for all containers, for example the variable UPPER_CONSTRAINTS_FILE used by the bifrost-deploy installation scripts. Also here we can override the address of the PyPI repository via PIP_INDEX_URL, PIP_EXTRA_INDEX_URL, and PIP_TRUSTED_HOST variables.

Upgrade Notes

  • All Dockerfile files which use curl to download any external files from Internet URLs now have the corresponding version templating block which can be used to override them. Also, all the ENV instructions inside these blocks have been converted to ARG instructions to minimize the unneeded variables.

Bug Fixes

  • Fixes wrong update-alternatives usage on CentOS. LP#1936947

13.2.0

New Features

  • Added a --repos-yaml argument to allow users to provide their own file with definitions of external package repositories. Useful for those building in offline environments with a set of internal mirrors.

Upgrade Notes

  • The updated OpenStack exporter for Prometheus uses the latest Nova API microversion by default, resulting in changes to existing metrics. To keep existing behaviour, set prometheus_openstack_exporter_compute_api_version to 2.1.

Bug Fixes

  • The apt-get update command by default didn’t fail on erroneous source repositories; it showed the warning ‘W: Some index files failed to download. They have been ignored, or old ones used instead.’ and continued to work. This caused some containers (e.g. rabbitmq, kolla-toolbox) to build successfully but made them inconsistent, because the official Ubuntu repository contains packages with the same names. Now we use the apt-get -eany update command to stop building with an error in such cases.

  • Fixes CentOS builds of Skydive SEGV on startup. Skydive versions prior to 0.28.0 panic on newer versions of libc. This especially affects CentOS 8. LP#1940862

13.1.0

New Features

  • Added a container image for Prometheus libvirt exporter, to be used for monitoring deployments which provide VMs with libvirt.

  • Adds Cyrus SASL packages necessary for the DIGEST-MD5 and SCRAM-SHA-256 mechanisms. These can be used for libvirt SASL authentication. LP#1964013

  • Quiet mode (enabled with --quiet argument) can be combined with --logs-dir option now. Console output will be quiet as expected while building output will be stored in separate log files.

Upgrade Notes

  • The Debian and Ubuntu images use rabbitmq and erlang from cloudsmith now. Operators might want to mirror/proxy this new source as it provides the correct set of packages unlike the previous combination.

Security Issues

  • Adds mitigation for Apache Log4j 2 Remote Code Execution (RCE) vulnerabilities CVE-2021-44228 and CVE-2021-45046 to Apache Storm.

Bug Fixes

  • Fixes an issue with Ironic deployments using UEFI and iPXE, where the default UEFI iPXE bootloader in Ironic was not available in the TFTP server. This affects all Kolla releases on CentOS, and Xena on Debian/Ubuntu. LP#1959203

  • Installs glusterfs-client in Debian and Ubuntu manila-share images to support GlusterFS across supported distributions. LP#1964140

  • Latest version of the elasticsearch gem no longer works with older (OSS) versions of Elasticsearch. This is fixed by capping the version of the elasticsearch gem installed into the fluentd container. LP#1954759

  • Fixes an issue where an older version of the Python OpenvSwitch bindings package was used than the running OpenvSwitch code. LP#1961874

  • Fixes AArch64 Ubuntu ironic-python-agent images failing to boot via UEFI PXE. Also fixes the issue of missing GRUB EFI files on x86_64. LP#1879265

  • Fixes an issue building images that use a source with a type of git, when using a git that includes the fix for CVE-2022-24765 (2.35.2 or later). By default, this includes the gnocchi-base image, but may include other images with a non-default configuration. LP#837710

  • Fixes disabling the use of the curlrc configuration file in healthcheck_curl. LP#1967272

  • Fixes an issue seen when using Jinja2 3.1.0.

  • Fixes an issue with missing Magnum Keystone auth default policy. LP#1957159

  • Fixes the Debian and Ubuntu images to use rabbitmq and erlang from cloudsmith so that the images are still buildable and use proper versions.

  • Fixes set_configs.py configuring the same permission for directories and files, causing directories to lack execute permission if it was not set for files.
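
An illustration of the set_configs.py permission fix above, as an added example that is not Kolla's own code: applying a file mode such as 0640 unchanged to directories leaves them without the search bit, so this sketch derives the directory mode by adding execute wherever read is granted. The function names, the derivation rule and the sample tree are assumptions made for this example.

```python
import os
import stat
import tempfile


def dir_mode_from_file_mode(file_mode):
    """Add the search (execute) bit for every class that already has read."""
    mode = file_mode
    for read_bit, exec_bit in ((stat.S_IRUSR, stat.S_IXUSR),
                               (stat.S_IRGRP, stat.S_IXGRP),
                               (stat.S_IROTH, stat.S_IXOTH)):
        if mode & read_bit:
            mode |= exec_bit
    return mode


def apply_permissions(root, file_mode):
    """chmod files to file_mode and directories to the derived directory mode."""
    dir_mode = dir_mode_from_file_mode(file_mode)
    os.chmod(root, dir_mode)
    for base, dirs, files in os.walk(root):
        for name, mode in [(d, dir_mode) for d in dirs] + [(f, file_mode) for f in files]:
            path = os.path.join(base, name)
            if os.path.islink(path):
                continue  # do not chmod through a symlink to a target outside the tree
            os.chmod(path, mode)
    return dir_mode


def demo(file_mode=0o640):
    """Build a constructed sample tree; return (directory mode, file mode) found on disk."""
    with tempfile.TemporaryDirectory() as root:
        sub = os.path.join(root, "conf.d")          # constructed sample directory
        os.mkdir(sub)
        target = os.path.join(sub, "service.conf")  # constructed sample file
        with open(target, "w") as fh:
            fh.write("[DEFAULT]\n")
        apply_permissions(root, file_mode)
        return (stat.S_IMODE(os.stat(sub).st_mode),
                stat.S_IMODE(os.stat(target).st_mode))


if __name__ == "__main__":
    print([oct(m) for m in demo()])
```

A mode with no read bit for a class (for example 0200) gains no execute bit for that class, so the derivation never grants directory traversal to anyone who could not already read the files.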

13.0.1

Bug Fixes

  • CentOS nova-compute image has linux-firmware package removed to save image size by ~500MB. LP#1926801

  • Fixes “Permission denied” issue for swift-recon tool that appears when swift-recon tool tries to access default recon_lock_path.

  • Nova images are built without pypowervm package. It is needed only for POWER architecture support (which we do not support) and breaks CentOS builds by trying to install (Python 2 only) ‘futures’ package.

  • Ensures the nvme-cli package is present in nova-compute images, as it is expected by os-brick.

13.0.0

New Features

  • Add masakari-dashboard to Debian binary Horizon image.

  • Adds the Monasca datasource plugin to the Grafana image. This allows Monasca users to visualise metrics in Grafana without using the Monasca Grafana fork.

  • Updates Ceph client packages in CentOS images to Pacific.

  • Support for Debian/Ubuntu binary (aka packaged) CloudKitty images.

  • Debian ‘bullseye’ is now used instead of ‘buster’. Bullseye is the current stable release of Debian. Several images gained Debian support with this move.

  • Adds support for the ironic-neutron-agent image in Debian and Ubuntu binary images. Also adds support for the baremetal ML2 driver in the neutron-server image in Debian and Ubuntu binary images.

  • Improves the way offline scenarios are supported:
    • Switching dumb-init installation to distribution provided packages.

  • OVN images are now buildable for Debian on x86-64 architecture.

  • Adds proxysql image. Proxysql provides intelligent load balancing for databases.

  • Allow to set group for user.

  • cAdvisor has been updated to 0.38.7 version.

Upgrade Notes

  • Kolla toolbox is now using ansible-core 2.11.

  • Format of APT keys has changed from simple list into dictionary. For base_apt_keys we now use name and key ids and for remote_apt_keys names and URLs.

    This allows instructing APT to use those keys only for their repositories instead of trusting them for all possible packages.

    If you override base_apt_keys or remote_apt_keys then please adapt to the new format.

  • CentOS now uses upstream MariaDB repos (thus following the images of the other two distros). This is done to simplify MariaDB version management on Kolla side. The chosen version is synced with Debian and Ubuntu to 10.5. Operators may want to reflect this in their repo mirrors and proxies.

  • Debian now uses upstream MariaDB repos (thus following Ubuntu images). This is done to avoid issues like the related one and have an easy workaround of pinning to chosen MariaDB version if need arises. Operators may want to reflect this in their repo mirrors and proxies. LP#1944410

  • Updates the default image type to source. Users wishing to build binary type images should either specify the --type binary CLI argument or set [DEFAULT] type=binary in kolla-build.conf. This change is to reflect the reality that source images are tested more thoroughly and we (as OpenStack community) have better control over them.

  • The monasca-grafana image has been dropped because it was using several deprecated components and was not buildable. Support for Monasca datasource was added into standard grafana instead.

  • Support for building containers for ppc64le architecture was dropped.

  • Support for using Red Hat Enterprise Linux as base of container images was dropped. Please migrate to using CentOS Stream 8 based images.

  • Gnocchi version has been updated to 4.4.1.

  • haproxy packages have been upgraded to 2.2.

  • Changed default of network_mode to host since Kolla-Ansible bootstrap-servers is deploying Docker without a bridge by default since Wallaby.

  • Neutron images now only provide api-paste.ini in /etc/neutron instead of /usr/share/neutron. Custom configuration files will need to be updated.

  • chrony image has been removed.

  • Support for panko has been removed due to upstream retirement.

  • Prometheus v1 image has been removed.

  • The Rally and Tempest projects are not OpenStack services, but clients. Their images and support have been removed since Xena cycle.

  • Ubuntu now uses MariaDB 10.5 to sync with Debian.

Deprecation Notes

  • Support for building ppc64le container images has been deprecated in Wallaby cycle and got removed in Xena.

  • The tempest and rally images were removed in the Xena cycle. The reason is that these are not services of an OpenStack cloud but its clients.

Security Issues

  • Fixes security issue in Prometheus as per advisory.

Bug Fixes

  • Adds an option to the monasca-thresh container which checks if the topology is currently submitted (KOLLA_BOOTSTRAP), with an option to kill it (TOPOLOGY_REPLACE). Topology names and various timeouts may be customized. LP#1808805

  • Fixes missing boto3 library required by glance_store. LP#1884259

  • Fixes location of monitoring_policy in Horizon, so access policy is correctly enforced. Note that by current default, admin does not have Monitoring access. LP#1928408

  • Fix support for kolla install in ~/.local. LP#1930544

  • Fixes an issue with logs going missing in the Fluentd pipeline by pinning td-agent to 4.0.* also on Debian. LP#1930867 [Debian]

  • Fixes an issue with logs going missing in the Fluentd pipeline by pinning td-agent to 4.0.*. LP#1930867

  • Fixes issues arising from the lack of Debian updates repo being enabled. LP#1931544

  • Fix missing default policy files for debian-binary-horizon. LP#1933759

  • Fixes Debian image build failure caused by the official Debian bullseye release changing the os identification. LP#1933770

  • Fixes user uid inconsistency between base and openstack-base Debian binary images. LP#1934753

  • Add missing pacemaker cli utils to Debian hacluster images. LP#1934788

  • Fixes an issue with cinder-volume missing lsscsi and nvme commands on Debian and Ubuntu. LP#1942038

  • Fixes kolla-toolbox ansible.log logging for different users than ansible. LP#1942846

  • Fixes an issue with Elasticsearch curator not working due to too new python elasticsearch library. LP#1941073

  • Fixes an issue with the logstash image which was incompatible with the last OSS version (7.10) of Elasticsearch. Logstash is now pinned to 7.9. LP#1941754

Other Notes

  • Debian images enable the Debian updates repo now. This is aligned with the base Debian image.

  • Removes pymongo installation from images.